FNB App (iPhone) - Latest update forces use of a weak password

alanB

Well-Known Member
Joined
Feb 18, 2008
Messages
216
The FNB App on the iPhone is normally an absolute pleasure to use. But after the latest update it's become temporarily unusable for me. At this point I cannot log in.

The reason being that they have disabled the ability to paste your password into the password field. After querying this with their call centre, where the agent initially tried to say it was a "device fault" and had nothing to do with their app, he finally relented and said it was probably a change implemented in the latest update (he wasn't sure).

But it definitely will not allow any sort of pasting into that field after many attempts, while that used to work fine before.

The reason why this is a big issue for me is that I use a password manager to ensure I have cryptographically secure passwords for critical applications (what could be more critical than your banking app?).

My current password is 20 characters long, I have no idea what it actually is. One of the rules of thumb of secure passwords is that if you can remember it, it's not secure.

But now FNB seems to be forcing me to type in the password?

Typing things accurately is difficult on a smart phone at the best of times, especially when you use a mixture of characters which requires switching between the various different types of keyboards. With a long password, the chances of making errors and locking yourself out is very high IMO.

It is much more secure copying the password from the password manager and then simply pasting it into the field. During that process, it's never visible to anyone else (not even me), you can be sure it's correct, and you can use a nice long complex password.

I'm told that I have no option now but to reset my password and use something that I can type easily and remember. This seems like a major decrease in security to me.

Not sure which genius decided this would be a good idea, but it's pretty irritating!

I take security seriously. I'm also well aware that if someone accesses my account by compromising my password, FNB will renounce all responsibility. But yet they force me into a situation in which I have to use a weak password! It just seems like a pretty poor decision from a security point of view.

And apparently I cannot roll back to a previous backed-up version of the app; apparently once you upgrade they won't allow the previous version to connect (I can understand the rationale behind that, but it's still irritating).

I use the app a lot and this is definitely going to make it harder and less secure to use!
 

PhireSide

Executive Member
Joined
Dec 31, 2006
Messages
8,687
What about a password manager service such as Lastpass? On Android at least, it has the Form Fill ability which I use when logging in.

Off topic but something that made me think - does your phone clear the clipboard after you used to paste your password or does it remain in memory after the passphrase is used?

Which iPhone are you using? Can't you enable biometric security by using TouchID instead of a password?
 

alanB

Well-Known Member
Joined
Feb 18, 2008
Messages
216
The password manager I use clears the memory (after a user-defined period) and protects the password while in memory, as far as I know.

The app now blocks any attempt to copy or paste into that field. As far as I can see you have to type it yourself.

I don't like TouchID for critical apps like banking. (Your fingerprint is not a good thing to use as an access key for something like that because it's easily replicated, and once compromised you cannot grow a new, different one.)

After getting over my irritation, I just reset my password and used a simpler password. I had no choice really. I don't think it's a great decision because it definitely seems to be a degradation in the level of security.

But a mitigating factor of limiting wrong guesses to 3 attempts does mean that there is some protection against hacking the password via brute force.
 

McGuywer

Executive Member
Joined
Jun 28, 2006
Messages
6,161
I am also very frustrated by this.

My issue is that I have an iPhone 4s. So I do not have Touch ID.
I basically don't use the app anymore.
 

PhireSide

Executive Member
Joined
Dec 31, 2006
Messages
8,687
alanB said:

The password manager I use clears the memory (after a user-defined period) and protects the password while in memory, as far as I know.

The app now blocks any attempt to copy or paste into that field. As far as I can see you have to type it yourself.

I don't like TouchID for critical apps like banking. (Your fingerprint is not a good thing to use as an access key for something like that because it's easily replicated, and once compromised you cannot grow a new, different one.)

After getting over my irritation, I just reset my password and used a simpler password. I had no choice really. I don't think it's a great decision because it definitely seems to be a degradation in the level of security.

But a mitigating factor of limiting wrong guesses to 3 attempts does mean that there is some protection against hacking the password via brute force.

I just tried in my FNB app on Android.

I am not able to paste in the password field either, unless I type one character and click Show to remove the dots from the entered text. After that, the Paste option becomes available.

I myself have a long password for my online banking that I have memorized and not written down anywhere else. The same goes for my Lastpass password and my Gmail password. All the rest are randomly generated ones stored within Lastpass. It's probably not foolproof, but it's what I feel is secure enough for my needs.
 

McGuywer

Executive Member
Joined
Jun 28, 2006
Messages
6,161
PhireSide said:

I just tried in my FNB app on Android.

I am not able to paste in the password field either, unless I type one character and click Show to remove the dots from the entered text. After that, the Paste option becomes available.

Thanks for the suggestion, but the type, show and then paste does not work on an Apple.
 

krycor

Honorary Master
Joined
Aug 4, 2005
Messages
14,946
What's annoying is that there is a way for devs to request the use of password managers, and a few apps do this... others don't bother.

Question though... with the new iOS updates I see that password fields cater for KeyChain on apps where the password field does not specifically cater for pwd managers. Does that not show on the FNB app? (I'm not logging out of mine... haha)
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
****ing hell OP what a moan.

Type the thing once and enable Touch ID. Problem solved.

You know full well they've removed the paste option to protect most idiots from themselves.


****

On iOS 12 it supports Keychain so quite possibly they are preparing for that and this might not even be coming from FNB directly but rather Apple SDK best practice.

Also with iOS supporting Copy/Paste across multiple devices doing this (pasting from elsewhere) with your password is a security risk in and of itself.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
krycor said:

Question though... with the new iOS updates I see that password fields cater for KeyChain on apps where the password field does not specifically cater for pwd managers. Does that not show on the FNB app? (I'm not logging out of mine... haha)

Yes it does.

It's not great, as the integration could have been deeper/more automatic, but it's a fine solution to this paste issue. Then again, at that point you might as well just have logged in with Touch ID directly.
 

thompsdc

Active Member
Joined
Jul 29, 2008
Messages
81
SauRoNZA said:

****ing hell OP what a moan.

Type the thing once and enable Touch ID. Problem solved.

You know full well they've removed the paste option to protect most idiots from themselves.


****

On iOS 12 it supports Keychain so quite possibly they are preparing for that and this might not even be coming from FNB directly but rather Apple SDK best practice.

Also with iOS supporting Copy/Paste across multiple devices doing this (pasting from elsewhere) with your password is a security risk in and of itself.

So not everyone has Touch ID - not problem solved.

And even if you have Touch ID but you have a Business account, the FNB app for business does not support Touch ID (afaik) and you have to type the password out there.

In general the security industry regards disabling of pasting passwords as 'security theatre' that will end up making the problem worse, not better (https://www.troyhunt.com/the-cobra-effect-that-is-disabling/).
 
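As an added illustration of the developer-side choice krycor and thompsdc are discussing (example code written for this thread, not FNB's app code and not from any poster; all names are assumed): the first UITextField subclass reproduces the paste-blocking behaviour the thread describes, and the second shows the password-manager-friendly configuration that Apple's SDK supports, so Keychain or a third-party manager can fill the field and the user never types or pastes a long password.

```swift
import UIKit

// Constructed example: two ways to build an iOS password field.

// 1. Paste-blocking field (the behaviour the thread complains about). Refusing
//    the Paste menu action forces a password-manager user to type a long random
//    password by hand, which is the "security theatre" Troy Hunt describes.
final class PasteBlockingPasswordField: UITextField {
    override func canPerformAction(_ action: Selector, withSender sender: Any?) -> Bool {
        let blocked: [Selector] = [
            #selector(UIResponderStandardEditActions.paste(_:)),
            #selector(UIResponderStandardEditActions.copy(_:)),
            #selector(UIResponderStandardEditActions.cut(_:)),
        ]
        if blocked.contains(action) { return false }   // hides Paste/Copy/Cut from the edit menu
        return super.canPerformAction(action, withSender: sender)
    }
}

// 2. Manager-friendly field. Declaring the field's semantic type lets iOS 11+
//    offer Keychain (and, on iOS 12+, third-party manager) AutoFill above the
//    keyboard; secure entry stays on and the standard edit actions are untouched.
//    Assumption: the app also sets the Associated Domains entitlement
//    (webcredentials:example-bank.invalid, placeholder) so saved website
//    credentials are offered for the app.
func makePasswordManagerFriendlyField(isNewPassword: Bool = false) -> UITextField {
    let field = UITextField()
    field.isSecureTextEntry = true            // still shows dots on screen
    field.autocorrectionType = .no            // never let the keyboard learn a secret
    field.autocapitalizationType = .none
    field.spellCheckingType = .no
    if #available(iOS 12.0, *), isNewPassword {
        field.textContentType = .newPassword  // reset flow: offers a generated strong password
    } else {
        field.textContentType = .password     // login flow: offers saved credentials
    }
    return field
}

// The "Show" toggle PhireSide used on Android, for completeness: revealing the
// text is a UI choice and does not need to change whether pasting is allowed.
func toggleVisibility(of field: UITextField) {
    field.isSecureTextEntry.toggle()
}
```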

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
thompsdc said:

So not everyone has Touch ID - not problem solved.

And even if you have Touch ID but you have a Business account, the FNB app for business does not support Touch ID (afaik) and you have to type the password out there.

In general the security industry regards disabling of pasting passwords as 'security theatre' that will end up making the problem worse, not better (https://www.troyhunt.com/the-cobra-effect-that-is-disabling/).

Well people need to get with the times.

Like I said this problem will be resolved in iOS12...which requires a Touch ID phone as well so resolves both those problems.

Also you don't know for sure that this applies to phones that don't have Touch ID or were you making a personal statement?

The Business Account not supporting Touch ID is very very odd.
 

thompsdc

Active Member
Joined
Jul 29, 2008
Messages
81
SauRoNZA said:

Well people need to get with the times.

Like I said this problem will be resolved in iOS12...which requires a Touch ID phone as well so resolves both those problems.

Also you don't know for sure that this applies to phones that don't have Touch ID or were you making a personal statement?

The Business Account not supporting Touch ID is very very odd.

Well no, not everyone can or will upgrade to a device with fingerprint sensors when their current device works just fine.

Not everyone has an iPhone either; these apps need to work across device platforms, and I don't think that the number of devices with fingerprint sensors is greater than those without, and since the industry considers disabling of password pasting as 'less secure', the net effect is a general decrease in app security.

I have an android phone without a touch sensor and I cannot paste my passwords.

My colleague who has an iPhone with TouchID must enter the password for the business banking app - I saw it yesterday.
 

alanB

Well-Known Member
Joined
Feb 18, 2008
Messages
216
SauRoNZA said:

Well people need to get with the times.

Like I said this problem will be resolved in iOS12...which requires a Touch ID phone as well so resolves both those problems.

Also you don't know for sure that this applies to phones that don't have Touch ID or were you making a personal statement?

The Business Account not supporting Touch ID is very very odd.

Using biometrics for secure applications is a bad idea.

How many fingerprints do you leave behind you each day in public places? Can you control that to any practical degree?

A quick search for "hacking TouchId" brings up numerous examples of how to do that such as https://www.bankinfosecurity.com/apple-iphone-6-touchid-hacked-a-7348

So I would suggest it's bad advice telling people to "get with the times" on this issue. Just because something is convenient does not make it secure; in fact, convenience is usually inversely correlated with security.

The issue I raised is not a massive one, merely an irritation.

I prefer to try and INCREASE my levels of security when it comes to online banking, where possible, instead of being forced to decrease them, as is the case here.

But as I said, given that the banking system locks one out after three attempts (and PROVIDED that always works), then using a simpler password is not a train smash. But as I said I would have preferred not to have been forced to do that.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,768
alanB said:

Using biometrics for secure applications is a bad idea.

How many fingerprints do you leave behind you each day in public places? Can you control that to any practical degree?

A quick search for "hacking TouchId" brings up numerous examples of how to do that such as https://www.bankinfosecurity.com/apple-iphone-6-touchid-hacked-a-7348

So I would suggest it's bad advice telling people to "get with the times" on this issue. Just because something is convenient does not make it secure; in fact, convenience is usually inversely correlated with security.

The issue I raised is not a massive one, merely an irritation.

I prefer to try and INCREASE my levels of security when it comes to online banking, where possible, instead of being forced to decrease them, as is the case here.

But as I said, given that the banking system locks one out after three attempts (and PROVIDED that always works), then using a simpler password is not a train smash. But as I said I would have preferred not to have been forced to do that.

The point for TouchID was over that of using a simple password to get around the problem.

Also just because it’s possible to hack biometrics doesn’t mean it’s not secure. Nothing is fully secure.

It’s a case of having many points of failure in play over just a simple password.

There are many steps involved for someone to hack your Touch ID. First stealing your fingerprint with seriously advanced tools, then stealing your phone.

If you are being targeted like that, the much higher chance of success would be to simply put a gun to your head and demand your password or that you unlock your phone.

And even then it would be simpler to attack another device than trying to steal your fingerprints.

And I’ve already explained this is all resolved in iOS12.
 

alanB

Well-Known Member
Joined
Feb 18, 2008
Messages
216
Just one more point on TouchID.

As many people point out on the net, your fingerprint is often left on the button, so anyone gaining access to your phone (e.g. if it was stolen) is often provided with a copy of your fingerprint with it, free of charge.

Just saying...

Oh and one other thing, which is not completely relevant, but it comes to mind nevertheless. Apparently in the US it is legal for the police to use force if necessary to take your fingerprints, but they cannot use force to get you to provide a password. I'm not sure what our laws say on that subject here, but if you happen to be in the position that you want to retain privacy of your phone when being questioned by the police in the US (not that I'm suggesting you are a drug dealer, but...:D), using TouchID in that case is also not a good idea.
 

phly

Expert Member
Joined
Mar 13, 2013
Messages
1,267
I should think twice then, as I use Touch ID for FNB bank. I use it so much I don't even know my password anymore, and it's an easy one, I think. I just don't recall it, as I open the app and place my finger and I am in. Works every time!
 

Bryn

Doubleplusgood
Joined
Oct 29, 2010
Messages
14,578
thompsdc said:

So not everyone has Touch ID - not problem solved.

And even if you have Touch ID but you have a Business account, the FNB app for business does not support Touch ID (afaik) and you have to type the password out there.

In general the security industry regards disabling of pasting passwords as 'security theatre' that will end up making the problem worse, not better (https://www.troyhunt.com/the-cobra-effect-that-is-disabling/).

My FNB account is a business one and I use fingerprint authentication just fine with the FNB app on Android.
 

Mcwidowmaker

Well-Known Member
Joined
Mar 22, 2005
Messages
142
This security feature now affects Lastpass on desktop as well. This is going to seriously suck, as I have to use a less secure password. No way I am going to memorise my 20-character password from Lastpass.
 